From abb6cf7aa62afa43a05fd1b96a7018d76b863bc9 Mon Sep 17 00:00:00 2001
From: Andrew Pearce
Date: Thu, 2 Nov 2023 13:53:34 +0000
Subject: [PATCH] MLPAB-1470 - Create gateway endpoints for DynamoDB and S3 (#778)

* create endpoint in app subnet
* upgrade lock
* add ddb vpce
* add s3 endpoint
* add ecr endpoints
* add policy conditions to allow ECR access via VPCe
---
 terraform/account/.terraform.lock.hcl | 34 ++---
 terraform/account/region/vpc_endpoints.tf | 118 +++++++++--------
 terraform/environment/.terraform.lock.hcl | 12 --
 .../region/iam_execution_policy.tf | 2 +
 4 files changed, 81 insertions(+), 85 deletions(-)

diff --git a/terraform/account/.terraform.lock.hcl b/terraform/account/.terraform.lock.hcl
index f8c3db1cae..25b6e82bcf 100644
--- a/terraform/account/.terraform.lock.hcl
+++ b/terraform/account/.terraform.lock.hcl
@@ -2,22 +2,24 @@
 # Manual edits may be lost in future updates.
 
 provider "registry.terraform.io/hashicorp/aws" {
- version = "5.23.0"
- constraints = "~> 5.23.0"
+ version = "5.23.1"
+ constraints = ">= 5.5.0, ~> 5.23.0"
 hashes = [
- "h1:7S/Z+8JLD7cRPTZ+do3sca7TDmk4akW9elTiJjCwtAE=",
- "h1:AwjyBYctD8UKCXcm+kLJfRjYdUYzG0hetStKrw8UL9M=",
- "h1:E7XBEW8pGlRvR4ZM9ifuE5uvQRTLDFzhO0V0NDkzGyY=",
- "h1:HsDIvq0/RsfBdID2tQ7SzJXxZ88SLiXIEewIfG+h1yw=",
- "h1:SVR5C6CrB1ZFJ5VdktDa2d2U6BwYOZVTAOOWOccWM6I=",
- "h1:TELLD09+JVugSUXP2VTG/gaqEaSiBfF/YI/a0S1wmu8=",
- "h1:WqyPdAf7aVH5+ItnghPmnBTDaNr2VPQBd/lxYU1PCBM=",
- "h1:aXanfqwC+w6b0WlnAbH3+1rW8Rm9ltpJwx3//Bk0Z2Y=",
- "h1:dNxn78qVLsN5IW82/BqlMXbdSxdh6Dq1hfiEu5AjRyM=",
- "h1:i0ONGrnIRQU0K8BeG2yr0KrkmOAfdRnoPo+zatGkJ4k=",
- "h1:jV3S2mVUT0sc3pxG6XrQLizk5epHYEFd8Eh1Wciw4Mw=",
- "h1:mwXlgcIQ+4+cFj507gcASdedCoKDJfvUQ8CKAq+VkEw=",
- "h1:p0P8JCRiFNiRyRLY0QKCwa1h8BaBOtBbqNbsfaGmYSw=",
- "h1:yxaBYIz7ijM0MDABdDu8WVZAlP3b6T+cH9XshEIXeUc=",
+ "h1:keD9rGwuFbn70D1npMx486xFsSP/TtyNa6E0AgVJY1U=",
+ "zh:024a188ad3c979a9ec0d7d898aaa90a3867a8839edc8d3543ea6155e6e010064",
+ "zh:05b73a04c58534a7527718ef55040577d5c573ea704e16a813e7d1b18a7f4c26",
+ "zh:13932cdee2fa90f40ebaa783f033752864eb6899129e055511359f8d1ada3710",
+ "zh:3500f5febc7878b4426ef89a16c0096eefd4dd0c5b0d9ba00f9ed54387df5d09",
+ "zh:394a48dea7dfb0ae40e506ccdeb5387829dbb8ab00fb64f41c347a1de092aa00",
+ "zh:51a57f258b3bce2c167b39b6ecf486f72f523da05d4c92adc6b697abe1c5ff1f",
+ "zh:7290488a96d8d10119b431eb08a37407c0812283042a21b69bcc2454eabc08ad",
+ "zh:7545389dbbba624c0ffa72fa376b359b27f484aba02139d37ee5323b589e0939",
+ "zh:92266ac6070809e0c874511ae93097c8b1eddce4c0213e487c5439e89b6ad64d",
+ "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425",
+ "zh:9c3841bd650d6ba471c7159bcdfa35200e5e49c2ea11032c481a33cf7875879d",
+ "zh:bd103c46a16e7f9357e08d6427c316ccc56d203452130eed8e36ede3afa3322c",
+ "zh:cab0a16e320c6ca285a3a51f40c8f46dbaa0712856594819b415b4d8b3e63910",
+ "zh:e8adedcda4d6ff47dcae9c9bb884da26ca448fb6f7436be95ad6a341e4d8094a",
+ "zh:fc23701a3723f50878f440dcdf8768ea96d60a0d7c351aa6dfb912ad832c8384",
 ]
 }
diff --git a/terraform/account/region/vpc_endpoints.tf b/terraform/account/region/vpc_endpoints.tf
index c6ffc6980f..5d00bfe257 100644
--- a/terraform/account/region/vpc_endpoints.tf
+++ b/terraform/account/region/vpc_endpoints.tf
@@ -31,8 +31,8 @@ resource "aws_security_group_rule" "vpc_endpoints_public_subnet_ingress" {
 locals {
 interface_endpoint = toset([
 "ec2",
- # "ecr.api",
- # "ecr.dkr",
+ "ecr.api",
+ "ecr.dkr",
 "execute-api",
 "events",
 "logs",
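Review bot: Enabling `ecr.api` and `ecr.dkr` here leaves no explanation that image pulls through these interface endpoints also fetch layers from S3, which is what the S3 gateway endpoint and the starport-bucket statement added to vpc_endpoints.tf later in this commit are for. A one-line comment above the two entries would save the next reader from re-deriving that link, e.g. `# ecr.api/ecr.dkr: image layers are still downloaded from S3, so the S3 gateway endpoint and its bucket statement below must stay in place.` The `locals` block holding this set continues outside the hunk.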
@@ -78,67 +78,71 @@ resource "aws_vpc_endpoint_policy" "private" {
 })
 }
 
-data "aws_route_tables" "public" {
+data "aws_route_tables" "application" {
 provider = aws.region
 filter {
 name = "tag:Name"
- values = ["public-route-table"]
+ values = ["application-route-table"]
 }
 }
 
-# resource "aws_vpc_endpoint" "s3" {
-# provider = aws.region
-# vpc_id = module.network.vpc.id
-# service_name = "com.amazonaws.${data.aws_region.current.name}.s3"
-# route_table_ids = tolist(data.aws_route_tables.public.ids)
-# vpc_endpoint_type = "Gateway"
-# policy = data.aws_iam_policy_document.s3_vpc_endpoint.json
-# tags = { Name = "s3-private-${data.aws_region.current.name}" }
-# }
+resource "aws_vpc_endpoint" "s3" {
+ provider = aws.region
+ vpc_id = module.network.vpc.id
+ service_name = "com.amazonaws.${data.aws_region.current.name}.s3"
+ route_table_ids = tolist(data.aws_route_tables.application.ids)
+ vpc_endpoint_type = "Gateway"
+ policy = data.aws_iam_policy_document.s3.json
+ tags = { Name = "s3-private-${data.aws_region.current.name}" }
+}
 
-# data "aws_iam_policy_document" "s3_vpc_endpoint" {
-# provider = aws.region
-# statement {
-# sid = "S3VpcEndpointPolicy"
-# actions = ["s3:*"]
-# resources = ["*"]
-# principals {
-# type = "AWS"
-# identifiers = ["*"]
-# }
-# condition {
-# test = "StringEquals"
-# variable = "aws:PrincipalAccount"
-# values = [data.aws_caller_identity.current.account_id]
-# }
-# }
-# }
+resource "aws_vpc_endpoint" "dynamodb" {
+ provider = aws.region
+ vpc_id = module.network.vpc.id
+ service_name = "com.amazonaws.${data.aws_region.current.name}.dynamodb"
+ route_table_ids = tolist(data.aws_route_tables.application.ids)
+ vpc_endpoint_type = "Gateway"
+ policy = data.aws_iam_policy_document.allow_account_access.json
+ tags = { Name = "dynamodb-private-${data.aws_region.current.name}" }
+}
 
-# resource "aws_vpc_endpoint" "dynamodb" {
-# provider = aws.region
-# vpc_id = module.network.vpc.id
-# service_name = "com.amazonaws.${data.aws_region.current.name}.dynamodb"
-# route_table_ids = tolist(data.aws_route_tables.public.ids)
-# vpc_endpoint_type = "Gateway"
-# policy = data.aws_iam_policy_document.dynamodb_vpc_endpoint.json
-# tags = { Name = "dynamodb-private-${data.aws_region.current.name}" }
-# }
 
-# data "aws_iam_policy_document" "dynamodb_vpc_endpoint" {
-# provider = aws.region
-# statement {
-# sid = "DynamoDBVpcEndpointPolicy"
-# effect = "Allow"
-# actions = ["dynamodb:*"]
-# resources = ["*"]
-# principals {
-# type = "AWS"
-# identifiers = ["*"]
-# }
-# condition {
-# test = "StringEquals"
-# variable = "aws:PrincipalAccount"
-# values = [data.aws_caller_identity.current.account_id]
-# }
-# }
-# }
+
+data "aws_iam_policy_document" "allow_account_access" {
+ provider = aws.region
+ statement {
+ sid = "Allow-callers-from-specific-account"
+ effect = "Allow"
+ actions = ["*"]
+ resources = ["*"]
+ principals {
+ type = "AWS"
+ identifiers = ["*"]
+ }
+ condition {
+ test = "StringEquals"
+ variable = "aws:PrincipalAccount"
+ values = [data.aws_caller_identity.current.account_id]
+ }
+ }
+}
+
+data "aws_iam_policy_document" "s3" {
+ source_policy_documents = [
+ data.aws_iam_policy_document.allow_account_access.json,
+ data.aws_iam_policy_document.s3_bucket_access.json,
+ ]
+}
+
+data "aws_iam_policy_document" "s3_bucket_access" {
+ statement {
+ sid = "Access-to-specific-bucket-only"
+ effect = "Allow"
+ actions = ["s3:GetObject"]
+ resources = ["arn:aws:s3:::prod-${data.aws_region.current.name}-starport-layer-bucket/*"]
+ principals {
+ type = "AWS"
+ identifiers = ["*"]
+ }
+ }
+}
diff --git a/terraform/environment/.terraform.lock.hcl b/terraform/environment/.terraform.lock.hcl
index 5a0729d84e..4c16d0bd1b 100644
--- a/terraform/environment/.terraform.lock.hcl
+++ b/terraform/environment/.terraform.lock.hcl
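Review bot: `data.aws_route_tables.application` is selected only by the `tag:Name` filter, and as far as I recall the plural `aws_route_tables` data source yields an empty `ids` list rather than an error when nothing matches, so a missing or renamed tag would create both gateway endpoints with no route table associations and S3/DynamoDB traffic would quietly keep using whatever default route the subnets already have. A `lifecycle` precondition on each endpoint (Terraform 1.2 or later) turns that into a plan-time failure; the `s3` resource is shown below and the `dynamodb` resource needs the same block. Separately, `aws_iam_policy_document.s3` and `s3_bucket_access` omit the `provider = aws.region` that their sibling `allow_account_access` sets, which is harmless for this data source but inconsistent within the hunk. A short comment on `s3_bucket_access` stating why it deliberately carries no `aws:PrincipalAccount` condition — presumably because layer downloads from the starport bucket do not arrive under this account's principal, which is worth confirming — would stop a later reviewer from "fixing" the weaker statement.
```hcl
resource "aws_vpc_endpoint" "s3" {
  # … unchanged: provider, vpc_id, service_name, route_table_ids, vpc_endpoint_type, policy, tags …

  lifecycle {
    precondition {
      condition     = length(data.aws_route_tables.application.ids) > 0
      error_message = "No route table tagged Name=application-route-table was found; the S3 gateway endpoint would be created without any routes."
    }
  }
}
```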
@@ -47,18 +47,6 @@ provider "registry.terraform.io/pagerduty/pagerduty" { version = "3.1.0" constraints = ">= 2.16.0, ~> 3.1.0" hashes = [ - "h1:0toSoCiyVN9rmcwZYwfOPHtahVgU7vPWi2JKQNRMAS8=", - "h1:444AVDTesJfLt0WMd9ifMDYMBWhpaKquWSu0F3yyp5w=", - "h1:4ek51+3eidEvPCwjQwAA9NzjscshHCXm0d1X3QHVzH8=", - "h1:6UpWprDDtDR3AP9wm8J/TcrmGkr/QhYK79ihIB2N4t4=", - "h1:HmJe2yCKzKuSdu2aQXyWsZ2kT4Z0AgVsHtzQNYi3nb4=", - "h1:T/NQm8oVLmInSj/77esKnXcWR49uy9w5fV0SgYBoIlE=", - "h1:UBZGiJZp2fJ8U19Mh16hiaqve9JxtRBl0ATswnB3tMs=", - "h1:UEaBo9CW33AmOHVUcQLXp7C+TjlYf3OLhRFvRkKosYE=", - "h1:UkJdDjDM5hpPGkkOqtOqYQfKLi/tC7/LlgJ1D4+6Z5E=", - "h1:dMclW5RZdfZ1Wy6d8Nfxkiyf81cJAdZ5+LGgQC3sIeg=", - "h1:l6DTbuwFKkLzK5P+i77YQ3ZOVKfYuGFu8Qs/YUGtFlI=", - "h1:mbCUhjWoemCMasqrLJLjLvB1w3BXO/UFN8gdM8Hx6M8=", "h1:qks14qeSHFsstzTdtNe+7l+tmc2/sRVtzixlrNvmlMw=", "zh:01039fe438097a7adc795fb7dce21b2103685089ae57b35d568d2efbb1b24d0f", "zh:09cc1625756ad6f55a60b3b6558b3138cf00aaf6ef43cd66f71e91250ab6286a", diff --git a/terraform/environment/region/iam_execution_policy.tf b/terraform/environment/region/iam_execution_policy.tf index cb5b7f309d..ff143e1868 100644 --- a/terraform/environment/region/iam_execution_policy.tf +++ b/terraform/environment/region/iam_execution_policy.tf @@ -23,6 +23,7 @@ data "aws_iam_policy_document" "execution_role_region" { "secretsmanager:GetSecretValue", ] } + statement { effect = "Allow" @@ -39,5 +40,6 @@ data "aws_iam_policy_document" "execution_role_region" { "kms:DescribeKey", ] } + provider = aws.global }